Buy

Denying Access: AccessDeniedException

Let’s login as user again and surf to /new. Since we have the ROLE_USER role, we’re allowed access. In the access_control section of security.yml, change the role for this page to be ROLE_ADMIN and refresh:

# app/config/security.yml
security:
    # ...
    access_control:
        - { path: ^/new, roles: ROLE_ADMIN }
        # ...

This is the access denied page. It means that we are authenticated, but don’t have access. Of course in Symfony’s prod environment, we’ll be able to customize how this looks. We’ll cover how to customize error pages in the next episode.

The access_control section of security.yml is the easiest way to control access, but also the least flexible. Change the access_control entry back to use ROLE_USER and then comment both of them out. We’re going to deny access from inside our controller class instead.

# app/config/security.yml
security:
    # ...
    access_control:
        # - { path: ^/new, roles: ROLE_USER }
        # - { path: ^/create, roles: ROLE_USER }

Denying Access From a Controller: AccessDeniedException

Find the newAction in EventController. To check if the current user has a role, we need to get the “security context”. This is a scary sounding object, which has just one easy method on it: isGranted.

Use it to ask if the user has the ROLE_ADMIN role:

// src/Yoda/EventBundle/Controller/EventController.php
// ...

public function newAction()
{
    $securityContext = $this->container->get('security.context');
    if (!$securityContext->isGranted('ROLE_ADMIN')) {
        // panic?
    }

    // ...
}

If the user doesn’t have ROLE_ADMIN, we need to throw a very special exception: called AccessDeniedException. Add a use statement for this class and then throw a new instance inside the if block. If you add a message, only the developers will see it:

// src/Yoda/EventBundle/Controller/EventController.php
// ...

use Symfony\Component\Security\Core\Exception\AccessDeniedException;
// ...

public function newAction()
{
    $securityContext = $this->container->get('security.context');
    if (!$securityContext->isGranted('ROLE_ADMIN')) {
        throw new AccessDeniedException('Only an admin can do this!!!!')
    }

    // ...
}

In Symfony 2.5 and higher, there’s event a shortcut createAccessDeniedException method:

// src/Yoda/EventBundle/Controller/EventController.php
// ...

if (!$securityContext->isGranted('ROLE_ADMIN')) {
    // in Symfony 2.5
    throw $this->createAccessDeniedException('message!');
}

When we refresh now, we see the access denied page. But if we were logged in as admin, who does have this role, we’d see the page just fine.

AccessDeniedException: The Special Class for Security

Normally, if you throw an exception, it’ll turn into a 500 page. But the AccessDeniedException is special. First, if we’re not already logged in, throwing this causes us to be redirected to the login page. But if we are logged in, we’ll be shown the access denied 403 page. We don’t have to worry about whether the user is logged in or not here, we can just throw this exception.

Phew! Security is hard, but wow, you seriously know almost everything you’ll need to know. You’ll only need to worry about the really hard stuff if you need to create a custom authentication system, like if you’re authenticating users via an API key instead of a login form. If you’re in this situation, make sure you read the Symfony Cookbook entry called How to Authenticate Users with API Keys. It uses a feature that’s new to Symfony 2.4, so you may not see it mentioned in older blog posts.

Ok, let’s unbreak our site. To keep things short, create a new private function in the controller called enforceUserSecurity and copy our security check into this:

private function enforceUserSecurity()
{
    $securityContext = $this->container->get('security.context');
    if (!$securityContext->isGranted('ROLE_USER')) {
        throw new AccessDeniedException('Need ROLE_USER!');
    }
}

Now, use this in newAction, createAction, editAction, updateAction and deleteAction:

public function newAction()
{
    $this->enforceUserSecurity();

    // ...
}

public function createAction(Request $request)
{
    $this->enforceUserSecurity();

    // ...
}

You can see how sometimes using access_control can be simpler, even if this method is more flexible. Choose whichever works the best for you in each situation.

Tip

You can also use annotations to add security to a controller! Check out SensioFrameworkExtraBundle.

Leave a comment!

  • 2015-04-12 weaverryan

    Haha :). Yes, but with the AccessDeniedException, you need to add a use statement! That's why :) (and there are 2 AccessDeniedException's in Symfony, which makes it a bit tricky for beginners).

  • 2015-04-11 Łukasz Zaroda

    How is "throw $this->createAccessDeniedException('message!');" a SHORTCUT to "throw new AccessDeniedException('message!')" ? I mean... come on :P .

  • 2015-02-03 Diego Aguiar

    Wow, great answers, definitely it was useful!

    I'll give it a try to use my own Entry Point (I hope it doesn't get too complicated).

    Thanks for your time :)

  • 2015-02-02 weaverryan

    Hi Diego!

    For why is this working? There are two things happening:

    1) AccessDeniedException is a very special exception. When you throw it, it triggers the part of Symfony that tries to get the user to login (usually by redirecting them to /login). Here's the internals for that: https://github.com/symfony/sym...

    2) If you throw any Exception, it usually triggers a 500. BUT, that's not always true. If the Exception class you're throwing implements a special HttpExceptionInterface (https://github.com/symfony/sym..., then you will not get a 500, but whatever status code returned by that class's getStatusCode() method. The `AccessDeniedHttpException` is one of these: https://github.com/symfony/sym.... It causes a 403 status code, but doesn't trigger the special behavior in (1).

    About your situation, here's my advice (fwiw):

    1) Allow the user to be redirected to /login. This doesn't mean you need to eliminate your iframe popup (keep reading), but *also* allow for the login to be its own page (you could have /login basically be a blank page that has some JS to open your popup, if you really want to - it looks like you're doing something like this already: https://www.esla.pro/soporte/n.... This will make your life much easier. One things Symfony already does is help redirect you back to the original page the user was trying to visit in this situation.

    2) On a case-by-case basis, you can make some links automatically open your login popup. For example, when you render a page, if you could check to see if the user is not logged in (in Twig) and render a link to open the popup instead of, for example, taking the user to the registration page. OR, if a link does something with JavaScript, you could make the AJAX request, and if the user is not logged in, then open the popup.

    If anything, the piece you need to override is called the "Entry Point" - this is the class that's called when Symfony says "the user is trying to access a protected resource, but they are not logged in, let's help them!". This is the class that causes the redirect - the default one is here: https://github.com/symfony/sym.... You may use want to use your own, to, for example, redirect on normal requests, but return a normal 403 on AJAX requests. You could extend the FormAuthenticationEntryPoint class, register your new class as a service, then put your service id on the entry_point key under your firewall: http://symfony.com/doc/current...

    Phew! That's a lot of info, but hopefully it's useful!

    Cheers!

  • 2015-01-30 Diego Aguiar

    Great! AccessDeniedHttpException was the key, I'm not getting redirected anymore.
    Why is this working :)?

    My reason is because my login form is inside an iframe, so I just can't do a redirect. What I need is to show a message saying "You need to login first" and a button which opens the iframe, if login is successful, then redirect to the desired page.

    You can see what I want to achieve in my small site ( https://www.esla.pro ) just click where it says "Inicia Sesion" at the top section.
    I'm translating the whole site to symfony2 :)

    Thanks for your time.

  • 2015-01-30 weaverryan

    Hey Diego :)

    Yes, this behavior is totally by design - it allows the user to get a chance to login to see a secured page. What's your use-case for *not* doing this?

    Either way, the whole point of throwing AccessDeniedException is to "redirect to login if they're anonymous OR show them a 403 error page". If you don't want this, you're always free in a controller to simply return a Response object with a 403 status code (e.g. something like "return new Response("get outta here", 403)". Of course, that means you won't be using your *normal* Symfony 403 error page. If you try want to force a 403, but not do the redirect, throw an exception of the class Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException. If you want to know *why* that works, let me know ;).

    Cheers!

  • 2015-01-29 Diego Aguiar

    Hey Weaver!

    Like always, great work on this tutorials.

    I have a little problem with an automatic redirect by symfony. When I throw that AccessDeniedException to an anonymous user, besides of error page it gets a redirect to Login Page.

    Is there a way to disable that redirect or something? I couldn't find a solution on documentation =/

    Thanks in advance ;]

  • 2014-12-11 weaverryan

    Doh! Fixed it at sha: https://github.com/knpuniversi...

    Thanks!

  • 2014-12-09 Guest

    Hi great tuto,
    Missing ";" in
    function enforceUserSecurity()